From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Wed, 07 Apr 2021 00:40:03 +0200
Subject: syncthing package is vulnerable to CVE-2021-21404

CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful networked daemon package. With the new go importer maybe that's easier. Also work in the go build system needs to happen IIRC.
Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476

Léo

From: Léo Le Bouter <lle-bout@zaclys.net>
To: control@debbugs.gnu.org
Date: Wed, 07 Apr 2021 00:41:23 +0200

tags 47627 + security
quit
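The failure mode named in the advisory above (a signed length field trusted when sizing a buffer) next to the check that closes it, as an added Go example that is not Syncthing's code: the 12-byte header layout, the magic value and the 1 MiB ceiling are assumptions made for this example, and all frames are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed frame layout (not Syncthing's): a 12-byte big-endian header of
// magic, message type and a *signed* message length, then the payload.
const (
	magic        = 0x9E79BC40 // assumed value
	maxMsgLength = 1 << 20    // assumed policy: nothing over 1 MiB
)

var (
	ErrBadMagic  = errors.New("relay: bad magic")
	ErrBadLength = errors.New("relay: message length out of range")
	ErrTruncated = errors.New("relay: truncated message")
)

type header struct {
	Magic  uint32
	Type   int32
	Length int32
}

// readFrameUnchecked mirrors the pre-1.15.0 failure mode: the signed length
// is trusted when sizing the buffer. A negative value panics with
// "makeslice: len out of range", which for a daemon means crash and exit.
func readFrameUnchecked(r io.Reader) (header, []byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return hdr, nil, err
	}
	payload := make([]byte, hdr.Length) // negative Length: runtime panic
	if _, err := io.ReadFull(r, payload); err != nil {
		return hdr, nil, err
	}
	return hdr, payload, nil
}

// readFrame is the hardened form: the length is range-checked before any
// allocation, so a hostile peer gets an error (and a dropped connection)
// instead of a crash or an arbitrarily large allocation.
func readFrame(r io.Reader) (header, []byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return hdr, nil, err
	}
	if hdr.Magic != magic {
		return hdr, nil, ErrBadMagic
	}
	if hdr.Length < 0 || hdr.Length > maxMsgLength {
		return hdr, nil, fmt.Errorf("%w: %d", ErrBadLength, hdr.Length)
	}
	payload := make([]byte, hdr.Length)
	if _, err := io.ReadFull(r, payload); err != nil {
		return hdr, nil, fmt.Errorf("%w: %v", ErrTruncated, err)
	}
	return hdr, payload, nil
}

// encodeFrame builds a test frame. The declared length is written as given,
// so a header that disagrees with its payload can be produced on purpose.
func encodeFrame(msgType, length int32, payload []byte) []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, header{Magic: magic, Type: msgType, Length: length})
	buf.Write(payload)
	return buf.Bytes()
}

// uncheckedPanics reports whether the unchecked decoder panics on frame,
// recovering so the demonstration itself survives.
func uncheckedPanics(frame []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_, _, _ = readFrameUnchecked(bytes.NewReader(frame))
	return false
}

func main() {
	cases := []struct {
		name  string
		frame []byte
	}{
		{"valid", encodeFrame(1, 5, []byte("hello"))},
		{"negative", encodeFrame(1, -1, nil)},
		{"oversize", encodeFrame(1, maxMsgLength+1, nil)},
		{"truncated", encodeFrame(1, 10, []byte("abc"))},
	}
	for _, c := range cases {
		_, payload, err := readFrame(bytes.NewReader(c.frame))
		fmt.Printf("%-9s hardened: payload=%q err=%v\n", c.name, payload, err)
	}
	fmt.Println("unchecked decoder panics on negative length:", uncheckedPanics(cases[1].frame))
}
```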
From: Leo Famulari <leo@famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47627@debbugs.gnu.org
Date: Tue, 6 Apr 2021 18:51:47 -0400
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404

On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the bundled source code, which is freely licensed.
From: Leo Famulari <leo@famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47627@debbugs.gnu.org
Date: Thu, 8 Apr 2021 20:01:26 -0400
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404

On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.

[Attachment: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch]

From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].
* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1. [source]: Use bundled dependencies. [inputs]: Remove field. [arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1. --- gnu/packages/syncthing.scm | 72 +++++--------------------------------- 1 file changed, 8 insertions(+), 64 deletions(-) diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm index eb6cb7b4e3..e490c41905 100644 --- a/gnu/packages/syncthing.scm +++ b/gnu/packages/syncthing.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =A9 2016 Petter -;;; Copyright =A9 2016, 2017, 2018, 2019, 2020 Leo Famulari +;;; Copyright =A9 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari ;;; Copyright =A9 2020 Tobias Geerinckx-Rice ;;; Copyright =A9 2020 Efraim Flashner ;;; Copyright =A9 2020 Giacomo Leidi @@ -44,7 +44,7 @@ (define-public syncthing (package (name "syncthing") - (version "1.5.0") + (version "1.15.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/syncthing/syncthing" 
@@ -52,68 +52,12 @@ "/syncthing-source-v" version ".tar.gz")) (sha256 (base32 - "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb")) - (modules '((guix build utils))) - ;; Delete bundled ("vendored") free software source code. - (snippet '(begin - (delete-file-recursively "vendor") - #t)))) + "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq")))) (build-system go-build-system) ;; The primary Syncthing executable goes to "out", while the auxiliary ;; server programs and utility tools go to "utils". This reduces the = size ;; of "out" by ~80 MiB. (outputs '("out" "utils")) - ;; When updating Syncthing, check 'go.mod' in the source distribution = to - ;; ensure we are using the correct versions of these dependencies. - (inputs - `(("go-github-com-jackpal-go-nat-pmp" - ,go-github-com-jackpal-go-nat-pmp) - ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4) - ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr) - ("go-github-com-chmduquesne-rollinghash" - ,go-github-com-chmduquesne-rollinghash) - ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob) - ("go-github-com-golang-groupcache-lru" - ,go-github-com-golang-groupcache-lru) - ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway) - ("go-github-com-kballard-go-shellquote" - ,go-github-com-kballard-go-shellquote) - ("go-github-com-lib-pq" ,go-github-com-lib-pq) - ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd) - ("go-github-com-oschwald-geoip2-golang" - ,go-github-com-oschwald-geoip2-golang) - ("go-github-com-pkg-errors" ,go-github-com-pkg-errors) - ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-met= rics) - ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-dead= lock) - ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify) - ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb) - ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture) - ("go-golang-org-x-time" ,go-golang-org-x-time) - 
("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap) - ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf) - ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil) - ("go-github-com-prometheus-client-golang" - ,go-github-com-prometheus-client-golang) - ("go-golang-org-x-net" ,go-golang-org-x-net) - ("go-golang-org-x-text" ,go-golang-org-x-text) - ("go-github-com-audriusbutkevicius-recli" - ,go-github-com-audriusbutkevicius-recli) - ("go-github-com-urfave-cli" ,go-github-com-urfave-cli) - ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart) - ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty) - ("go-golang-org-x-crypto" ,go-golang-org-x-crypto) - ("go-github-com-flynn-archive-go-shlex" - ,go-github-com-flynn-archive-go-shlex) - ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-= go) - ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse) - ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun) - ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusb= utkevicius-pfilter) - ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemen= te-quic-go) - ("go-github-com-willf-bloom" ,go-github-com-willf-bloom) - - ;; For tests. - ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff= ))) - (arguments `(#:modules ((srfi srfi-26) ; for cut (guix build utils) @@ -136,8 +80,8 @@ ;; updater and to build the utilities is to "build all" and= then ;; "build syncthing" again with -no-upgrade. ;; https://github.com/syncthing/syncthing/issues/6118 - (invoke "go" "run" "build.go" "build" "all") - (delete-file "syncthing") + (invoke "go" "run" "build.go") + (delete-file "bin/syncthing") (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncth= ing")))) =20 (replace 'check 
@@ -149,10 +93,10 @@ (lambda* (#:key outputs #:allow-other-keys) (let ((out (assoc-ref outputs "out")) (utils (assoc-ref outputs "utils"))) - (with-directory-excursion "src/github.com/syncthing/syncthi= ng" - (install-file "syncthing" (string-append out "/bin")) + (with-directory-excursion "src/github.com/syncthing/syncthi= ng/bin" + (install-file "../syncthing" (string-append out "/bin")) (for-each (cut install-file <> (string-append utils "/bin= /")) - '("stcli" "stcompdirs" "stcrashreceiver" + '("stcompdirs" "stcrashreceiver" "stdisco" "stdiscosrv" "stevents" "stfileinfo" "stfinddevice" "stfindignored" "stgenfiles" "stindex" "strelaypoolsrv" "strelaysrv" "stsi= gtool"
-- 
2.31.1
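Review bot: the author date in the patch header (Thu, 10 Dec 2020) predates the CVE named in the subject by four months, so the history would read as if the fix existed before the advisory; the date is evidently carried over from the earlier update attempt and should be refreshed when the patch is committed. The version hunk itself, `- (version "1.5.0")` / `+ (version "1.15.1")`, matches the subject and the ChangeLog entry.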
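Review bot: in the source hunk (`@@ -52,68 +52,12 @@`), deleting the `(snippet ...)` that removed the vendor directory, together with the comment "Delete bundled ("vendored") free software source code", switches the package to Syncthing's vendored Go dependencies without leaving any trace of that decision in the file; add a comment on the origin stating that bundled dependencies are used deliberately and why (the discussion in this thread), otherwise a later contributor following the usual unbundling convention will reintroduce the snippet. The removed comment "When updating Syncthing, check 'go.mod' in the source distribution" should likewise be replaced by a note that fixes for those libraries now reach Guix only through Syncthing releases, since the `inputs` list that made them visible is gone.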
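Review bot: in the build-phase hunk (`@@ -136,8 +80,8 @@`), the retained context comment still says the approach is to "build all" and then "build syncthing" again with -no-upgrade, but the first command is now `(invoke "go" "run" "build.go")` with no `"build" "all"` arguments; update the comment to describe the new default invocation. The change from `(delete-file "syncthing")` to `(delete-file "bin/syncthing")` also deserves a word in that comment, since it is the only hint that the first invocation now writes into `bin/`.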
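Review bot: in the install-phase hunk (`@@ -149,10 +93,10 @@`), the phase now enters `src/github.com/syncthing/syncthing/bin` yet installs `"../syncthing"`, i.e. the binary from the source root, while the build phase deleted `bin/syncthing`; the two `build.go` invocations evidently write to different directories, and a one-line comment saying that the `-no-upgrade` rebuild lands in the source root would stop the next maintainer from "correcting" the path. Dropping `"stcli"` from the utilities list is not mentioned in the commit message; state there that the tool is no longer part of 1.15.1 (if that is the reason) so the removal is not mistaken for an oversight.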
From: Léo Le Bouter <lle-bout@zaclys.net>
To: Leo Famulari, 47627@debbugs.gnu.org
Date: Mon, 12 Apr 2021 02:27:51 +0200
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404

On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the bundled source code, which is freely licensed.
>
> I've attached the patch.

I tested this patch on my system; it works great with the syncthing service also. LGTM from me.
From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 11 21:55:05 2021
From: Leo Famulari
To: Léo Le Bouter
Cc: 47627-done@debbugs.gnu.org
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Sun, 11 Apr 2021 21:54:55 -0400
In-Reply-To: <1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net>
References: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net> <1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net>

On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system; it works great with the syncthing
> service also. LGTM from me.

Thanks for the review.
Pushed as ed3ef756f521a0df8596a88b66f65b7a1ad99252

From unknown Sat Aug 09 04:56:07 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 10 May 2021 11:24:05 +0000

bug archived.